A Durable U.S.-China Trade Accord Requires Agreement on Cybersecurity

Cybertheft, cyberespionage, and cyberterrorism are all problems that can be mitigated by effective cybersecurity measures. But without agreement as to what constitutes legitimate cybersecurity policy, Washington and Beijing will continue to act unilaterally and take shotgun approaches that may mitigate some risk, but at the cost of thwarting trade, opportunities for collaboration, and technological progress. Agreement, now, on how to assess and manage cyber risks and respond to security breaches would go a long way toward providing real security and reducing frictions in the relationship that could spark the next trade war.

In the name of protecting critical economic and national security infrastructure from cyber malfeasance, the United States has adopted some absolutist policies. ZTE and Huawei have recently become household names that Americans may associate with the trade war, but these Chinese information and communications technology (ICT) companies have been in the crosshairs of various U.S. government agencies for many years.

The U.S. government has advised U.S. telecommunications firms that if they wish to participate in federally‐​funded infrastructure build‐ outs, they should purge their supply chains of Chinese ICTs. On a few occasions, the Committee on Foreign Investment in the United States (CFIUS) raised security concerns over prospective acquisitions of U.S. companies by Chinese ICTs. During the past several years, U.S. appropriations legislation has included provisions to prevent certain federal agencies from procuring or using ICT products made by Chinese companies. The recently enacted National Defense Authorization Act precludes universities and other research institutes that receive federal funding from purchasing Huawei equipment. And, reportedly, President Trump has given consideration to an executive order that would ban Huawei and ZTE products, wholly, from the United States as a matter of national security.

Meanwhile, in the name of cybersecurity, the Chinese government has been drafting new laws to keep pace with developments in the fast‐​moving technology sectors. But where these policies are not absolutist, they are opaque. After more than a decade of evolving indigenous innovation and other industrial policies (such as Made in China 2025) geared toward propelling China into a position of global technological preeminence, the Chinese government more recently began to implement a set of laws, which effectively require ICT products and components to be “secure and controllable.” That can mean anything.

These laws may require intrusive security reviews, the breadth and depth and general standards of which remain unclear, as Beijing considers the costs and benefits of alternative approaches. Furthermore, the Cybersecurity Law includes a data localization requirement for operators of critical information infrastructure, which is currently not being enforced after foreign firms and governments registered strong opposition. Moreover, China is drafting a new Foreign Investment Law, which is expected to include new national security review procedures. Wouldn’t it be good if U.S. companies could provide some input here?

Like the United States, China is concerned about cybersecurity and is developing its policies presently. There is opportunity for both governments to collaborate to ensure that these laws are used objectively and for legitimate security purposes, instead of as an excuse for economic protectionism. How the United States proceeds with its cyber policies will undoubtedly impact the development of China’s rules in this sphere. For example, under the recently enacted Foreign Investment Risk Review Modernization Act, CFIUS is now required to consider the cybersecurity implications of prospective acquisitions in its foreign investment review process. China is likely to do the same. And if it does, it would be in the interest of U.S. companies to know what that assessment might entail.

Last month, U.S. officials denied any obligation to furnish evidence to support the administration’s claim that Huawei poses a security threat. Technically, there may be no obligation. But is that the standard U.S. companies want Beijing to adopt? U.S. and Chinese firms are competing on a variety of technology fronts, including 5G, artificial intelligence, and biotechnology. Invoking security to ban legitimate competitors is something that should concern U.S. companies. As for Washington and Beijing, they should understand that such an approach may favor domestic firms in the short run, but in the long run it will upend the technology ecosystem and risk fragmenting standards and the global market into competing spheres. The real and opportunity costs of that outcome would be enormous.

Cyber malfeasance is a real threat to national security and critical infrastructure, which governments have legitimate interests and obligations to protect. But effective cybersecurity measures cannot be developed in a vacuum, as if there were no tradeoffs to consider. ICT products are essential building blocks of the 21st century economy, so cybersecurity policies must strike the proper balance by securing those assets without unnecessarily impeding innovation and economic growth.

Instead of the United States banning certain Chinese telecommunications products and China subjecting U.S. products to unspecified and potentially limitless reviews, which may provide a false sense of security at the cost of balkanizing supply chains, the governments should agree to a framework based on business best practices, that subject all ICT products to an objective, statistically valid, cybersecurity evaluation system. This kind of a system is more likely to suppress protectionism, while delivering real cybersecurity and a more durable economic relationship.